Operation Endgame targets malware networks in global crackdown

Rhadamanthys, VenomRAT, and the Elysium botnet were targeted in the takedowns.
A still from a cartoon used to depict the takedown of Rhadamanthys info stealer. (Operation Endgame)

In a sweeping international crackdown coordinated from Europol’s headquarters, law enforcement agencies from the United States and 10 other countries have disrupted three of the world’s most widely used cybercriminal malware operations. Conducted Nov. 10-13, Operation Endgame focused on neutralizing the Rhadamanthys info-stealing malware, the VenomRAT remote access trojan, and the Elysium botnet — tools authorities say enabled hackers to infect hundreds of thousands of computers and steal millions of sensitive credentials across the globe.

The effort involved law enforcement and judicial agencies from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. According to Europol, the operation led to the arrest of the main VenomRAT suspect in Greece on Nov. 3, searches of 11 locations across Europe, and the seizure or disruption of 1,025 servers and 20 internet domains used by criminals. Coordinated support from over 30 private cybersecurity organizations further assisted the investigation, with companies such as CrowdStrike, Proofpoint, Bitdefender, and the Shadowserver Foundation helping to analyze malicious activity and notify affected network operators.

The law enforcement action is the latest phase of Operation Endgame, an ongoing international initiative to curtail ransomware and malware infrastructure. Previous phases of the operation targeted similar cybercrime enablers over the past two years. Officials said the infrastructure dismantled in this phase had controlled hundreds of thousands of malware-infected computers and held several million stolen credentials.

The Shadowserver Foundation, which aggregates global malware infection data, said it sent alerts about Rhadamanthys infections between March and November to national security response teams in 175 countries and more than 10,000 network owners. Europol added that the principal suspect behind the infostealer controlled access to over 100,000 cryptocurrency wallets, with potential losses reaching millions of euros. Many victims whose credentials and devices were compromised continued to operate their systems unaware, authorities said.

VenomRAT, which evolved from earlier remote access trojans, was reportedly marketed for around $150 per month and delivered primarily through malicious email attachments. It gave its operators a backdoor into compromised computers, letting them take over devices remotely and, in some cases, exfiltrate sensitive data or use the foothold to launch additional attacks.

Authorities also contacted users of the compromised criminal services, appealing for information and publicly exposing some of them through a website and Telegram channel dedicated to the operation. Because these offenders increasingly rely on infrastructure spread across many jurisdictions, authorities said coordinated multinational responses are likely to remain a key feature of future takedowns.

Operation Endgame is ongoing, with officials indicating that additional actions may follow as investigations continue.
